No it doesn't. The threat model is that the attacker has access to your source code and can remove the obfuscation as easily as you added it.
– Joan Charmant, Mar 6 '14 at 15:28

2

Just because the attacker has gained access to the password list, does not mean they have access to the source code. Not saying this idea is valid, but they are two different scenarios.
– donutdan4114, Mar 6 '14 at 21:18

2

They may not, but you must assume that the attacker might: have the source code, be an insider, know an insider, get the source code later, know an insider later, and most likely: will figure out the pattern you're using at some point, at which time everyone will know. Note that critically, "attacker" does NOT mean "the one group that got my hashed passwords first", "attacker" actually means every person or group that ever gets ahold of my hashed password list - including researchers, competition contestants, and everyone reading whatever forums the original person uploads it to (pastebin).
– Anti-weakpasswords, Mar 7 '14 at 1:32

@Anti-weakpasswords That's very interesting, if not brilliant, and should be an answer!
– Volker Siegel, Jun 12 '14 at 16:09

3 Answers
3

When the attacker knows that every 2nd character is fake, it would not slow them down at all.

Any security measure which relies on the attacker not knowing how your system works is security through obscurity, which is an anti-pattern. A system is only secure when it is secure against someone who knows exactly how it works.
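
The point of the answer above, shown as an added example that is not part of the original answer: the "every 2nd character is fake" scheme is undone with a single slice, so the per-guess cost stays entirely in the hash. PBKDF2-HMAC-SHA256, the iteration count and all function names are assumptions of this example.

```python
import hashlib
import hmac
import os
import secrets
import time

ITERATIONS = 100_000          # assumed work factor, chosen for this example
HEX_DIGITS = "0123456789abcdef"

def real_hash(password: str, salt: bytes) -> str:
    """Salted, slow hash (PBKDF2-HMAC-SHA256 is this example's assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()

def obfuscate(digest_hex: str) -> str:
    """Scheme from the thread: every 2nd character is a random fake."""
    return "".join(ch + secrets.choice(HEX_DIGITS) for ch in digest_hex)

def deobfuscate(stored: str) -> str:
    """Anyone who knows the scheme undoes it with one slice; no key is involved."""
    return stored[::2]

def verify(password: str, salt: bytes, stored: str) -> bool:
    """Login check: strip the fakes, then compare in constant time."""
    return hmac.compare_digest(real_hash(password, salt), deobfuscate(stored))

def cost_breakdown(password: str = "constructed-sample-password") -> dict:
    """Time one hash evaluation against one de-obfuscation of its stored form."""
    salt = os.urandom(16)
    t0 = time.perf_counter()
    digest = real_hash(password, salt)
    t1 = time.perf_counter()
    stored = obfuscate(digest)
    t2 = time.perf_counter()
    recovered = deobfuscate(stored)
    t3 = time.perf_counter()
    return {"hash_seconds": t1 - t0, "strip_seconds": t3 - t2,
            "recovered_matches": recovered == digest,
            "stored_length": len(stored)}

if __name__ == "__main__":
    r = cost_breakdown()
    print(f"one hash: {r['hash_seconds']:.4f}s, undo obfuscation: {r['strip_seconds']:.7f}s")
    print("recovered original digest:", r["recovered_matches"])
```

The stored value is twice the length of the real digest, and the time to strip the fakes is negligible next to one hash evaluation, which is where the salt and iteration count do their work.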

A lot of the answers seem to be missing your point, as I assume that when you say

and this is my hash: abcd

You already are using a secure and accepted hashing algorithm, rather than just doing pure obfuscation. In this case I would argue that some obfuscation of hashes does add security, as often only databases get dumped without the code, and in those cases - and only in those cases - an extra rule that is applied to the hash will make it a lot harder to figure out what is happening and which hashing algorithm has been used.

Of course it's best to make sure that the database doesn't get stolen in the first place, and it's likely that once an attacker has access to a database he will also gain access to your code, but making a hash unrecognizable would make at least quite a lot of those script-kiddie hackers give up.

All in all, would I advise you to do it? Nope, not really. Using a good hashing algorithm and salting your passwords should be more than enough, but in response to your question: yes it does make some sense, no matter how little.